Muhstik Botnet Exploiting Apache RocketMQ Flaw to Expand DDoS Attacks

• Muhstik botnet exploits a critical Apache RocketMQ flaw (CVE-2023-33246) forremote code execution, targeting Linux servers and IoT devices forDDoS attacks and cryptocurrency mining.
• Infection involves executing a shell script from a remote IP, downloading the Muhstik malware binary (“pty3”), and ensuring persistence by copying to multiple directories and editing system files.
• With over 5,000 vulnerable Apache RocketMQ instances still exposed, organizations mustupdate to the latest version to mitigate risks, while securing MS-SQL servers against brute-force attacks and ensuring regular password changes.

The distributed denial-of-service (DDoS) botnet known as Muhstik has been observed leveraging a now-patched security flaw impacting Apache RocketMQ to co-opt susceptible servers and expand its scale.

“Muhstik is a well-known threat targeting IoT devices and Linux-based servers, notorious for its ability to infect devices and utilize them for cryptocurrency mining and launching Distributed Denial of Service (DDoS) attacks,” cloud security firm Aqua said in a report published this week.

First documented in 2018, attack campaigns involving the malware have a history of exploiting known security flaws, specifically those relating to web applications, for propagation.

The latest addition to the list of exploited vulnerabilities is CVE-2023-33246 (CVSS score: 9.8), a critical security flaw affecting Apache RocketMQ that allows a remote and unauthenticated attacker to perform remote code execution by forging the RocketMQ protocol content or using the update configuration function.

Once the shortcoming is successfully abused to obtain initial access, the threat actor proceeds to execute a shell script hosted on a remote IP address, which is then responsible for retrieving the Muhstik binary (“pty3”) from another server.

“After gaining the ability to upload the malicious payload by exploiting the RocketMQ vulnerability, the attacker is able to execute their malicious code, which downloads the Muhstik malware,” security researcher Nitzan Yaakov said.

Persistence on the host is achieved by means of copying the malware binary to multiple directories and editing the /etc/inittab file – which controls what processes to start during the booting of a Linux server – to automatically restart the process.

What’s more, the naming of the binary as “pty3” is likely an attempt to masquerade as a pseudoterminal (“pty”) and evade detection. Another evasion technique is that the malware is copied to directories such as /dev/shm, /var/tmp, /run/lock, and /run during the persistence phase, which allows it to be executed directly from memory and avoid leaving traces on the system.

Muhstik comes equipped with features to gather system metadata, laterally move to other devices over a secure shell (SSH), and ultimately establish contact with a command-and-control (C2) domain to receive further instructions using the Internet Relay Chat (IRC) protocol.

The end goal of the malware is to weaponize the compromised devices to perform different types of flooding attacks against targets of interest, effectively overwhelming their network resources and triggering a denial-of-service condition.

With 5,216 vulnerable instances of Apache RocketMQ still exposed to the internet after more than a year of public disclosure of the flaw, it’s essential that organizations take steps to update to the latest version in order to mitigate potential threats.

“Moreover, in previous campaigns, cryptomining activity was detected after the execution of the Muhstik malware,” Yaakov said. “These objectives go hand in hand, as the attackers strive to spread and infect more machines, which helps them in their mission to mine more cryptocurrency using the electrical power of the compromised machines.”

The disclosure comes as the AhnLab Security Intelligence Center (ASEC) revealed that poorly secured MS-SQL servers are being targeted by threat actors to various types of malware, ranging from ransomware and remote access trojans to proxyware.

“Administrators must use passwords that are difficult to guess for their accounts and change them periodically to protect the database server from brute-force attacks and dictionary attacks,” ASEC said. “They must also apply the latest patches to prevent vulnerability attacks.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.